-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add optional URL protection to createRegisterHandler (#148)
* validateAllowSaleorUrls impl * Implement in handler and add test * update codeowners * Apply suggestions from code review Co-authored-by: Krzysztof Wolski <[email protected]> * Rename param Co-authored-by: Krzysztof Wolski <[email protected]>
- Loading branch information
1 parent
715eb6a
commit 67cded2
Showing
5 changed files
with
141 additions
and
23 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
* @saleor/devtools | ||
* @saleor/marketplace |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
import { describe, expect, it } from "vitest"; | ||
|
||
import { validateAllowSaleorUrls } from "./validate-allow-saleor-urls"; | ||
|
||
const saleorCloudUrlMock = "https://my-shop.saleor.cloud/graphql/"; | ||
const onPremiseSaleorUrlMock = "https://my-shop-123.aws-services.com/graphql/"; | ||
|
||
const saleorCloudRegexValidator = (url: string) => /https:\/\/.*.saleor.cloud\/graphql\//.test(url); | ||
|
||
describe("validateAllowSaleorUrls", () => { | ||
it("Passes any URL if allow list is empty", () => { | ||
expect(validateAllowSaleorUrls(saleorCloudUrlMock, [])).toBe(true); | ||
expect(validateAllowSaleorUrls(onPremiseSaleorUrlMock, [])).toBe(true); | ||
}); | ||
|
||
it("Passes only for URL that was exactly matched in provided allow list array", () => { | ||
expect(validateAllowSaleorUrls(saleorCloudUrlMock, [saleorCloudUrlMock])).toBe(true); | ||
expect(validateAllowSaleorUrls(onPremiseSaleorUrlMock, [saleorCloudUrlMock])).toBe(false); | ||
}); | ||
|
||
it("Validates against custom function provided to allow list", () => { | ||
expect(validateAllowSaleorUrls(saleorCloudUrlMock, [saleorCloudRegexValidator])).toBe(true); | ||
expect(validateAllowSaleorUrls(onPremiseSaleorUrlMock, [saleorCloudRegexValidator])).toBe( | ||
false | ||
); | ||
}); | ||
|
||
it("Validates against more than one argument in allow list", () => { | ||
expect( | ||
validateAllowSaleorUrls(saleorCloudUrlMock, [ | ||
saleorCloudRegexValidator, | ||
onPremiseSaleorUrlMock, | ||
]) | ||
).toBe(true); | ||
expect( | ||
validateAllowSaleorUrls(onPremiseSaleorUrlMock, [ | ||
saleorCloudRegexValidator, | ||
onPremiseSaleorUrlMock, | ||
]) | ||
).toBe(true); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
import { CreateAppRegisterHandlerOptions } from "./create-app-register-handler"; | ||
|
||
export const validateAllowSaleorUrls = ( | ||
saleorApiUrl: string, | ||
allowedUrls: CreateAppRegisterHandlerOptions["allowedSaleorUrls"] | ||
) => { | ||
if (!allowedUrls || allowedUrls.length === 0) { | ||
return true; | ||
} | ||
|
||
for (const urlOrFn of allowedUrls) { | ||
if (typeof urlOrFn === "string" && urlOrFn === saleorApiUrl) { | ||
return true; | ||
} | ||
|
||
if (typeof urlOrFn === "function" && urlOrFn(saleorApiUrl)) { | ||
return true; | ||
} | ||
} | ||
|
||
return false; | ||
}; |